diff --git a/README.md b/README.md
index e6fc2812e..f9e31a8d0 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - [cilium](https://github.com/cilium/cilium) v1.8.5
 - [contiv](https://github.com/contiv/install) v1.2.1
 - [flanneld](https://github.com/coreos/flannel) v0.13.0
- - [kube-ovn](https://github.com/alauda/kube-ovn) v1.3.0
+ - [kube-ovn](https://github.com/alauda/kube-ovn) v1.5.2
 - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.1.0
 - [multus](https://github.com/intel/multus-cni) v3.6.0
 - [ovn4nfv](https://github.com/opnfv/ovn4nfv-k8s-plugin) v1.1.0
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 8dd5a1f71..0679de648 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -80,7 +80,7 @@ weave_version: 2.7.0
 pod_infra_version: "3.3"
 contiv_version: 1.2.1
 cilium_version: "v1.8.5"
-kube_ovn_version: "v1.3.0"
+kube_ovn_version: "v1.5.2"
 kube_router_version: "v1.1.0"
 multus_version: "v3.6"
 ovn4nfv_ovn_image_version: "v1.0.0"
diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
index ca6ae9414..d405336d1 100644
--- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
+++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
@@ -8,7 +8,7 @@ metadata:
 kubernetes.io/description: |
 kube-ovn controller
 spec:
- replicas: 2
+ replicas: 1
 selector:
 matchLabels:
 app: kube-ovn-controller
@@ -46,6 +46,8 @@ spec:
 args:
 - --default-cidr={{ kube_pods_subnet }}
 env:
+ - name: ENABLE_SSL
+ value: "false"
 - name: POD_NAME
 valueFrom:
 fieldRef:
@@ -58,12 +60,16 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ volumeMounts:
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
 readinessProbe:
 exec:
 command:
 - sh
 - /kube-ovn/kube-ovn-controller-healthcheck.sh
 periodSeconds: 3
+ timeoutSeconds: 45
 livenessProbe:
 exec:
 command:
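Review bot: Dropping `replicas: 2` to `replicas: 1` on the kube-ovn-controller Deployment in the `@@ -8,7 +8,7` hunk removes the controller's only redundancy, so a node failure or a rolling restart leaves the cluster without a running controller until the replacement pod is scheduled, and nothing in the diff says why the reduction is needed. If a single replica is what the v1.5.2 upstream manifest expects, a one-line comment on the template would spare the next maintainer the question; otherwise expose it as a role default, e.g. `replicas: {{ kube_ovn_controller_replicas | default(1) }}` (new variable, proposed). The Deployment spec continues outside the hunk.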
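Review bot: `ENABLE_SSL` is hard-coded to `"false"` in the `@@ -46,6 +46,8` hunk and the same literal is repeated in the `@@ -131` and `@@ -221` hunks of this file and the `@@ -166` and `@@ -279` hunks of cni-ovn.yml.j2, which presumably leaves the controller, cni-server and pinger connections to the OVN databases unencrypted while the `kube-ovn-tls` secret mount and `/var/run/tls` volume added alongside are never used. Six independent copies also mean a partial flip (TLS enabled on ovn-central but not on a client) breaks connectivity rather than failing closed. Template it once from a role default, e.g. `value: "{{ kube_ovn_enable_ssl | default(false) | lower }}"` (new variable, proposed), and record in the role docs that enabling it requires a `kube-ovn-tls` secret to exist, since the volume is declared `optional: true` and an empty mount would otherwise fail only at runtime. The container spec continues outside the hunk.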
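Review bot: `timeoutSeconds: 45` in the `@@ -58,12 +60,16` hunk is fifteen times the `periodSeconds: 3` of the readiness probe it is attached to, and the same literal 45 is applied to every probe in this diff (the `@@ -72` hunk here and the `@@ -201`, `@@ -215`, `@@ -304` and `@@ -318` hunks of cni-ovn.yml.j2) regardless of each probe's period. A hung healthcheck script therefore takes up to 45 s per attempt before it counts as a failure, which delays pulling a wedged controller out of readiness; if the long timeout is deliberate (for example because newer kubelets enforce exec-probe timeouts that older ones ignored), a comment saying so, or one template variable such as `timeoutSeconds: {{ kube_ovn_probe_timeout | default(45) }}` (new variable, proposed), would make the intent reviewable. The probe definitions are cut at both ends of the hunk.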
@@ -72,9 +78,14 @@ spec:
 initialDelaySeconds: 300
 periodSeconds: 7
 failureThreshold: 5
+ timeoutSeconds: 45
 nodeSelector:
 kubernetes.io/os: "linux"
-
+ volumes:
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls
 ---
 kind: DaemonSet
 apiVersion: apps/v1
@@ -88,8 +99,6 @@ spec:
 selector:
 matchLabels:
 app: kube-ovn-cni
- updateStrategy:
- type: OnDelete
 template:
 metadata:
 labels:
@@ -112,8 +121,6 @@ spec:
 runAsUser: 0
 privileged: true
 volumeMounts:
- - mountPath: /etc/cni/net.d
- name: cni-conf
 - mountPath: /opt/cni/bin
 name: cni-bin
 containers:
@@ -131,6 +138,8 @@ spec:
 runAsUser: 0
 privileged: true
 env:
+ - name: ENABLE_SSL
+ value: "false"
 - name: POD_IP
 valueFrom:
 fieldRef:
@@ -140,6 +149,8 @@ spec:
 fieldRef:
 fieldPath: spec.nodeName
 volumeMounts:
+ - mountPath: /etc/cni/net.d
+ name: cni-conf
 - mountPath: /run/openvswitch
 name: host-run-ovs
 - mountPath: /run/ovn
@@ -221,6 +232,8 @@ spec:
 runAsUser: 0
 privileged: false
 env:
+ - name: ENABLE_SSL
+ value: "false"
 - name: POD_IP
 valueFrom:
 fieldRef:
@@ -256,6 +269,8 @@ spec:
 name: host-log-ovs
 - mountPath: /var/log/ovn
 name: host-log-ovn
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
 resources:
 requests:
 cpu: {{ kube_ovn_pinger_cpu_request }}
@@ -287,6 +302,10 @@ spec:
 - name: host-log-ovn
 hostPath:
 path: /var/log/ovn
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls
 ---
 kind: Service
 apiVersion: v1
diff --git a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
index 6371bc0ca..dfaffca6c 100644
--- a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
+++ b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
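Review bot: Removing `updateStrategy: type: OnDelete` from the kube-ovn-cni DaemonSet in the `@@ -88,8 +99,6` hunk silently switches it to the API default, a rolling update with one unavailable pod at a time, so every future template change (this upgrade included) restarts the privileged cni-server on each node automatically instead of waiting for an operator to delete the pod. If that is the intended behaviour, state it rather than relying on the default, e.g. `updateStrategy:` / `  type: RollingUpdate` / `  rollingUpdate: {maxUnavailable: 1}`, and mention in the commit message that the upgrade now rolls the CNI server cluster-wide. The DaemonSet spec continues outside the hunk.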
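Review bot: The `/etc/cni/net.d` host mount (`cni-conf`) moves from the init container (`@@ -112,8 +121,6`) into the long-running cni-server container in the `@@ -140,6 +149,8` hunk without `readOnly: true`, so a writable handle on the node's CNI configuration is now held for the container's whole lifetime instead of for a one-shot install step. The container is already `privileged: true` and `runAsUser: 0`, so this does not open a new boundary, but if cni-server only needs to read the conflist at runtime, `readOnly: true` on the mount is a cheap way to limit what a misbehaving or compromised process can change; if it rewrites the config at runtime (I cannot tell from the hunk), a short comment on the mount saying so would keep the next reviewer from re-asking. The volumeMounts list continues outside the hunk.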
@@ -1,3 +1,31 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: kube-ovn
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - '*'
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -27,6 +55,7 @@ rules:
 - subnets/status
 - ips
 - vlans
+ - networks
 verbs:
 - "*"
 - apiGroups:
@@ -81,7 +110,6 @@ subjects:
 - kind: ServiceAccount
 name: ovn
 namespace: kube-system
-
 ---
 kind: Service
 apiVersion: v1
@@ -99,7 +127,6 @@ spec:
 app: ovn-central
 ovn-nb-leader: "true"
 sessionAffinity: None
-
 ---
 kind: Service
 apiVersion: v1
@@ -117,7 +144,6 @@ spec:
 app: ovn-central
 ovn-sb-leader: "true"
 sessionAffinity: None
-
 ---
 kind: Deployment
 apiVersion: apps/v1
@@ -166,6 +192,8 @@ spec:
 capabilities:
 add: ["SYS_NICE"]
 env:
+ - name: ENABLE_SSL
+ value: "false"
 - name: POD_IP
 valueFrom:
 fieldRef:
@@ -201,12 +229,15 @@ spec:
 name: host-log-ovs
 - mountPath: /var/log/ovn
 name: host-log-ovn
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
 readinessProbe:
 exec:
 command:
 - sh
 - /kube-ovn/ovn-is-leader.sh
 periodSeconds: 3
+ timeoutSeconds: 45
 livenessProbe:
 exec:
 command:
@@ -215,6 +246,7 @@ spec:
 initialDelaySeconds: 30
 periodSeconds: 7
 failureThreshold: 5
+ timeoutSeconds: 45
 nodeSelector:
 kubernetes.io/os: "linux"
 kube-ovn/role: "master"
@@ -240,7 +272,10 @@ spec:
 - name: host-log-ovn
 hostPath:
 path: /var/log/ovn
-
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls
 ---
 kind: DaemonSet
 apiVersion: apps/v1
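Review bot: The new `kube-ovn` PodSecurityPolicy in the `@@ -1,3 +1,31` hunk is fully permissive — `privileged`, `allowPrivilegeEscalation`, `allowedCapabilities: ['*']`, `volumes: ['*']`, `hostNetwork`, `hostPID`, `hostIPC`, every host port, any seccomp profile and `RunAsAny` for user, SELinux, groups and fsGroup — which is wider than anything the workloads in this diff visibly use (they show `privileged: true`, `runAsUser: 0`, `hostPath` and `secret` volumes and `SYS_NICE`; nothing in the diff uses `hostPID` or `hostIPC`). Drop `hostIPC: true` and `hostPID: true` unless a kube-ovn component is known to need them, and enumerate the volume types and capabilities actually mounted so the policy documents the plugin's real footprint instead of waiving enforcement. No `use` grant on this policy appears anywhere in the diff; it needs a Role/ClusterRole with `policy` / `podsecuritypolicies` / `use` for `kube-ovn` bound only to the `ovn` ServiceAccount shown in the `@@ -81` hunk, because a broader binding would hand every pod in the cluster a privileged escape hatch, and without any binding the pods will be rejected on PSP-enforcing clusters. Note also that `policy/v1beta1` PodSecurityPolicy is deprecated upstream and removed in Kubernetes 1.25, so the role will need Pod Security Admission labels or an equivalent before then.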
@@ -279,12 +314,18 @@ spec:
 runAsUser: 0
 privileged: true
 env:
+ - name: ENABLE_SSL
+ value: "false"
 - name: POD_IP
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
 - name: HW_OFFLOAD
 value: "false"
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 volumeMounts:
 - mountPath: /lib/modules
 name: host-modules
@@ -304,12 +345,15 @@ spec:
 name: host-log-ovs
 - mountPath: /var/log/ovn
 name: host-log-ovn
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
 readinessProbe:
 exec:
 command:
 - sh
 - /kube-ovn/ovs-healthcheck.sh
 periodSeconds: 5
+ timeoutSeconds: 45
 livenessProbe:
 exec:
 command:
@@ -318,6 +362,7 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 5
 failureThreshold: 5
+ timeoutSeconds: 45
 resources:
 requests:
 cpu: {{ kube_ovn_node_cpu_request }}
@@ -352,3 +397,7 @@ spec:
 - name: host-log-ovn
 hostPath:
 path: /var/log/ovn
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls